Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Attack vector for Composition Media (MIB2 non-nav) #1

Closed
mattcabb opened this issue Mar 15, 2021 · 8 comments
Closed

Attack vector for Composition Media (MIB2 non-nav) #1

mattcabb opened this issue Mar 15, 2021 · 8 comments
Labels
enhancement New feature or request

Comments

@mattcabb
Copy link
Contributor

It's not available on VW website anymore, but there was a single update package designed for all VW MIB2 devices (High/Std, Technisat/Delphi/Harman, nav/non-nav, ZR/PQ) - RSDB_VW_Multi_EU_v1.10.10.7z with radio station logo database.

Worth looking into it?
@olli991
Copy link
Owner

olli991 commented Mar 15, 2021
edited
Loading

If you manage to get this update it's worth it. But would only work for Delphi because on Delphi the metainfo bug should work, except newest devices. They fixed this on newest ones.
On technisat the metainfo bug isn't working.

If you have this update please upload it or send it to me :) t.me/olli991

@olli991 olli991 added the enhancement New feature or request label Mar 15, 2021
@mattcabb mattcabb mentioned this issue Mar 15, 2021
Closed
@olli991
Copy link
Owner

olli991 commented Mar 17, 2021
edited
Loading

After inspecting the file I sadly don't see any attack vectors for technisat units in there.
But this could be a structure for a future toolbox for every unit. Maybe we can link Technisat variants to the current Online Approval Update, the other ones should have the "behind signature" metainfo bug and could be modified to what we want.
But RadioDB is custom SWDL... maybe not compatible with linked Online Approval Update... needs testing.

@olli991 olli991 closed this as completed Apr 12, 2021
@mattcabb
Copy link
Contributor Author

mattcabb commented Nov 1, 2021

I just found this "behind signature" bug research that you mentioned above.
https://www.contextis.com/en/blog/a-code-signing-bypass-for-the-vw-polo

Is there any info about which software versions had this bug? Was this MIB2-wide or just a specific vendor in specific FW?

@lprot
Copy link
Collaborator

lprot commented Nov 1, 2021

I just found this "behind signature" bug research that you mentioned above. https://www.contextis.com/en/blog/a-code-signing-bypass-for-the-vw-polo

Is there any info about which software versions had this bug? Was this MIB2-wide or just a specific vendor in specific FW?

All MIB2 STD Delphi before the latest revision.

@mattcabb
Copy link
Contributor Author

mattcabb commented Nov 1, 2021
edited
Loading

Thanks for clearing that up. Damn Technisat 😉
So it's possible to patch Delphi with SD card alone, right?

@olli991
Copy link
Owner

olli991 commented Nov 1, 2021

Should be in theory. We wanted to test it but we both do not have a unit here to test it. I tested with one guy so far and we had no success. It's a bit complicated when you not have a unit yourself.

@zbadguy
Copy link

zbadguy commented Mar 16, 2022

Hello olli991
Any more progress on non nav zr/pq?
Can't the toolbox be merged with the radio station db?

@olli991
Copy link
Owner

olli991 commented Mar 16, 2022

radio db sadly is no option. currently no progress or further investigations on this topic. Only emmc possible

@grumpygibbon grumpygibbon mentioned this issue Jul 1, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@mattcabb @lprot @olli991 @zbadguy